@report{ransomware_paloalto,
	institution = {Palo Alto Networks},
	title = {Ransomware Threat Report 2022},
	urldate={2022-05-19},
	url = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/2022-unit42-ransomware-threat-report-final.pdf}
},

@report{ransomware_pwc,
	institution = {PricewaterhouseCoopers},
	title = {Cyber Threats 2021: A year in Retrospect},
	url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf},
	urldate={2022-05-19}
},

@report{rootkit_ptsecurity,
	institution = {Positive Technologies},
	title = {Rootkits: evolution and detection methods},
	date = {2021-11-03},
	url = {https://www.ptsecurity.com/ww-en/analytics/rootkits-evolution-and-detection-methods/}
},

@online{ebpf_linux318,
		title={eBPF incorporation in the Linux Kernel 3.18},
	date={2014-12-07},
	url={https://kernelnewbies.org/Linux_3.18},
	urldate={2022-05-19}
},

@report{bvp47_report,
	institution = {Pangu Lab},
	title = {Bvp47 Top-tier Backdoor of US NSA Equation Group},
	date = {2022-02-23},
	urldate={2022-05-19},
	url = {https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf}
},

@report{bpfdoor_pwc,
	institution = {PricewaterhouseCoopers},
	title = {Cyber Threats 2021: A year in Retrospect},
	url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf},
	urldate={2022-05-20},
	pages = {37}
},

@proceedings{ebpf_friends,
	institution = {Datadog},
	author = {Fournier, Guillaume and Afchain, Sylvain},
	organization= {DEFCON 29},
	eventtitle = {{eBPF}, I thought we were friends},
	urldate={2022-05-22},
	url = {https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf}
},

@proceedings{ebpf_friends_23,
	institution = {Datadog},
	author = {Fournier, Guillaume and Afchain, Sylvain},
	organization= {DEFCON 29},
	urldate={2022-05-22},
	pages={23},
	eventtitle = {{eBPF}, I thought we were friends},
	url = {https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf}
},

@proceedings{ebpf_friends_54,
	institution = {Datadog},
	author = {Fournier, Guillaume and Afchain, Sylvain},
	organization= {DEFCON 29},
	urldate={2022-05-22},
	pages={54},
	eventtitle = {{eBPF}, I thought we were friends},
	url = {https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf}
},

@online{ebpf_friends_github,
	title={ebpfkit},
	author = {Fournier, Guillaume and Afchain, Sylvain},
	urldate={2022-05-22},
	url={https://github.com/Gui774ume/ebpfkit}
},

@online{ebpf_friends_blackhat,
	title={With Friends Like eBPF, Who Needs Enemies?},
	author={Fournier, Guillaume and Baubeau, Sylvain},
	urldate={2022-05-22},
	date={2021-08-05},
	url={https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-With-Friends-Like-EBPF-Who-Needs-Enemies.pdf}
}

@proceedings{evil_ebpf,
	institution = {NCC Group},
	author = {Jeff Dileo},
	urldate={2022-05-22},
	organization= {DEFCON 27},
	eventtitle = {Evil eBPF Practical Abuses of an In-Kernel Bytecode Runtime},
	url = {https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf}
},

@online{evil_ebpf_github,
	institution = {NCC Group},
	title = {Miscellaneous eBPF Tooling},
	urldate={2022-05-22},
	url={https://github.com/nccgroup/ebpf}
}

@proceedings{god_ebpf,
	institution={NCC Group},
	author = {Dileo, Jeff and Olsen, Andy},
	organization= {35C3},
	urldate={2022-05-22},
	eventtitle = {Kernel Tracing With eBPF Unlocking God Mode on Linux},
	url = {https://berlin-ak.ftp.media.ccc.de/congress/2018/slides-pdf/35c3-9532-kernel_tracing_with_ebpf.pdf}
}

@online{bad_ebpf,
	author = {Pat Hogan},
	organization= {DEFCON 27},
	urldate={2022-05-22},
	date={2021-08-05},
	eventtitle = {Bad BPF - Warping reality using eBPF},
	url = {https://www.youtube.com/watch?v=g6SKWT7sROQ}
},

@online{bad_ebpf_github,
	author={Pat Hogan},
	title={Bad BPF},
	urldate={2022-05-22},
	url={https://github.com/pathtofile/bad-bpf}
}

@online{ebpf_windows,
	title={eBPF incorporation in the Linux Kernel 3.18},
	date={2014-12-07},
	urldate={2022-05-22},
	url={https://kernelnewbies.org/Linux_3.18}
},
@misc{ebpf_android,
	title={eBPF for Windows},
	urldate={2022-05-22},
	url={https://source.android.com/devices/architecture/kernel/bpf}
},



@article{bpf_bsd_origin,
	title={The BSD Packet Filter: A New Architecture for User-level Packet Capture},
	author={McCanne, Steven and Jacobson, Van},
	institution={Lawrence Berkeley Laboratory},
	urldate={2022-05-24},
	date={1992-12-19},
	url={https://www.tcpdump.org/papers/bpf-usenix93.pdf}
},

@article{bpf_bsd_origin_bpf_page1,
	title={The BSD Packet Filter: A New Architecture for User-level Packet Capture},
	author={McCanne, Steven and Jacobson, Van},
	institution={Lawrence Berkeley Laboratory},
	urldate={2022-05-24},
	date={1992-12-19},
	url={https://www.tcpdump.org/papers/bpf-usenix93.pdf},
	pages={1}
},

@article{bpf_bsd_origin_bpf_page2,
	title={The BSD Packet Filter: A New Architecture for User-level Packet Capture},
	author={McCanne, Steven and Jacobson, Van},
	institution={Lawrence Berkeley Laboratory},
	urldate={2022-05-24},
	date={1992-12-19},
	url={https://www.tcpdump.org/papers/bpf-usenix93.pdf},
	pages={1}
},

@article{bpf_bsd_origin_bpf_page5,
	title={The BSD Packet Filter: A New Architecture for User-level Packet Capture},
	author={McCanne, Steven and Jacobson, Van},
	institution={Lawrence Berkeley Laboratory},
	urldate={2022-05-24},
	date={1992-12-19},
	url={https://www.tcpdump.org/papers/bpf-usenix93.pdf},
	pages={5}
},

@article{bpf_bsd_origin_bpf_page7,
	title={The BSD Packet Filter: A New Architecture for User-level Packet Capture},
	author={McCanne, Steven and Jacobson, Van},
	institution={Lawrence Berkeley Laboratory},
	urldate={2022-05-24},
	date={1992-12-19},
	url={https://www.tcpdump.org/papers/bpf-usenix93.pdf},
	pages={7}
},

@article{bpf_bsd_origin_bpf_page8,
	title={The BSD Packet Filter: A New Architecture for User-level Packet Capture},
	author={McCanne, Steven and Jacobson, Van},
	institution={Lawrence Berkeley Laboratory},
	urldate={2022-05-24},
	date={1992-12-19},
	url={https://www.tcpdump.org/papers/bpf-usenix93.pdf},
	pages={8}
},

@online{ebpf_history_opensource,
	title={An intro to using eBPF to filter packets in the Linux kernel},
	date={2017-08-11},
	urldate={2022-05-25},
	url={https://opensource.com/article/17/9/intro-ebpf}
},

@manual{ebpf_io,
	title={eBPF Documentation},
	urldate={2022-05-25},
	url={https://ebpf.io/what-is-ebpf/}
},

@manual{ebpf_io_arch,
	title={eBPF Documentation: Loader and verification architecture},
	urldate={2022-05-25},
	url={https://ebpf.io/what-is-ebpf/#loader--verification-architecture}
},

@manual{ebpf_io_verification,
	title={eBPF Documentation: Verification},
	urldate={2022-05-25},
	url={https://ebpf.io/what-is-ebpf/#verification}
},

@manual{index_register,
	title={Index register},
	urldate={2022-05-25},
	url={https://gunkies.org/wiki/Index_register}
}

@online{bpf_organicprogrammer_analysis,
	title={Write a Linux packet sniffer from scratch: part two- BPF},
	date={2022-03-28},
	urldate={2022-05-25},
	url={https://organicprogrammer.com/2022/03/28/how-to-implement-libpcap-on-linux-with-raw-socket-part2/}
},

@manual{tcpdump_page,
	title={Tcpdump and Libpcap},
	urldate={2022-05-25},
	url={https://www.tcpdump.org}
},

@manual{ebpf_funcs_by_ver,
	title={BPF features by Linux Kernel Version},
	organization={iovisor},
	urldate={2022-05-25},
	url={https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md}
},

@book{brendan_gregg_bpf_book,
	title={BPF performance tools},
	author={Brendan Gregg},
	urldate={2022-05-27},
	url={https://www.oreilly.com/library/view/bpf-performance-tools/9780136588870/}
},

@manual{ebpf_inst_set,
	title={eBPF instruction set},
	urldate={2022-05-27},
	url={https://www.kernel.org/doc/html/latest/bpf/instruction-set.html}
},

@manual{8664_inst_set_specs,
	title={Intel® 64 and IA-32 Architectures Software Developer’s Manual Combined Volumes: 1, 2A, 2B, 2C, 2D, 3A, 3B, 3C, 3D, and 4},
	author={Intel},
	volume={2A},
	pages={507},
	urldate={2022-05-13},
	urldate={2022-05-27},
	url={https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html}
},

@proceedings{ebpf_starovo_slides,
	title={BPF - in-kernel virtual machine},	
	url={http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf},
	date={2015-02-20},
	urldate={2022-05-27},
	institution={PLUMgrid}
},

@proceedings{ebpf_starovo_slides_page23,
	title={BPF – in-kernel virtual machine},	
	url={http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf},
	date={2015-02-20},
	urldate={2022-05-27},
	institution={PLUMgrid},
	pages={23}
},

@manual{ebpf_JIT,
	title={A JIT for packet filters},
	url={https://lwn.net/Articles/437981/},
	date={2011-04-12},
	urldate={2022-05-27},
	author={Jonathan Corbet}
},

@proceedings{ebpf_JIT_demystify_page13,
	title={Demystify eBPF JIT Compiler},
	url={https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf},
	institution={Netronome},
	author={Jiong Wang},
	date={2018-09-11},
	urldate={2022-05-27},
	pages={13}
},

@proceedings{ebpf_JIT_demystify_page14,
	title={Demystify eBPF JIT Compiler},
	url={https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf},
	institution={Netronome},
	author={Jiong Wang},
	urldate={2022-05-27},
	date={2018-09-11},
	pages={14}
},

@proceedings{ebpf_JIT_demystify_page17-22,
	title={Demystify eBPF JIT Compiler},
	url={https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf},
	institution={Netronome},
	author={Jiong Wang},
	date={2018-09-11},
	urldate={2022-05-27},
	pages={17--22}
},

@book{brendan_gregg_bpf_book_bpf_vm,
	title={BPF performance tools},
	author={Brendan Gregg},
	urldate={2022-05-27},
	url={https://learning.oreilly.com/library/view/bpf-performance-tools/9780136588870/ch02.xhtml#:-:text=With%20JIT%20compiled%20code%2C%20i,%20other%20native%20kernel%20code}
},

@manual{jit_enable_setting,
	title={bpf\_jit\_enable},
	urldate={2022-05-27},
	url={https://sysctl-explorer.net/net/core/bpf_jit_enable/}
},

@manual{ebpf_verifier_kerneldocs,
	title={eBPF verifier},
	urldate={2022-05-29},
	url={https://kernel.org/doc/html/latest/bpf/verifier.html}
},

@online{ebpf_bounded_loops,
	title={Bounded loops in BPF for the 5.3 kernel},
	url={https://lwn.net/Articles/794934/},
	date={2019-06-30},
	urldate={2022-05-29},
	author={Marta Rybczynska}
},

@manual{ebpf_maps_kernel,
	title={eBPF maps},
	urldate={2022-05-29},
	url={https://www.kernel.org/doc/html/latest/bpf/maps.html}
},

@manual{ebpf_maps_rddocs,
	title={eBPF maps},
	urldate={2022-05-29},
	url={https://prototype-kernel.readthedocs.io/en/latest/bpf/ebpf_maps.html}
},

@manual{bpf_syscall,
	title={bpf(2)- Linux manual page},
	urldate={2022-05-29},
	url={https://man7.org/linux/man-pages/man2/bpf.2.html}
},

@manual{ebpf_helpers,
	title={bpf-helpers(7)- Linux manual page},
	urldate={2022-05-29},
	url={https://man7.org/linux/man-pages/man7/bpf-helpers.7.html}
},

@online{xdp_gentle_intro,
	title={A Gentle Introduction to XDP},
	date={2022-02-03},
	urldate={2022-06-01},
	url={https://www.seekret.io/blog/a-gentle-introduction-to-xdp/},
	author={Daniel Lavie}
},

@manual{xdp_manual,
	title={XDP actions},
	urldate={2022-06-01},
	url={https://prototype-kernel.readthedocs.io/en/latest/networking/XDP/implementation/xdp_actions.html}
},

@online{tc_differences,
	title={tc/BPF and XDP/BPF},
	urldate={2022-06-01},
	url={https://liuhangbin.netlify.app/post/ebpf-and-xdp/},
	date={2019-03-13},
	author={Hangbin}
},

@online{tc_direct_action,
	title={Understanding tc “direct action” mode for BPF},
	url={https://qmonnet.github.io/whirl-offload/2020/04/11/tc-bpf-direct-action/},
	date={2020-04-11},
	urldate={2022-06-01},
	author={Quentin Monnet}
},

@online{tc_docs_complete,
	title={Traffic Control HOWTO},
	urldate={2022-06-01},
	url={http://linux-ip.net/articles/Traffic-Control-HOWTO/},
	author={Martin A. Brown},
	date={2006-10-01}
},

@online{tc_ret_list_complete,
	title={Linux kernel source tree},
	url={https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/pkt_cls.h},
	urldate={2022-06-01},
	indextitle={index : kernel/git/torvalds/linux.git}
},

@manual{tp_kernel,
	title={Using the Linux Kernel Tracepoints},
	urldate={2022-06-01},
	url={https://www.kernel.org/doc/html/latest/trace/tracepoints.html},
	author={Mathieu Desnoyers}
},

@manual{kprobe_manual,
	title={Kernel Probes (Kprobes)},
	urldate={2022-06-01},
	author={Keniston, Jim and Panchamukhi, Prasanna S and Hiramatsu, Masami},
	url={https://www.kernel.org/doc/html/latest/trace/kprobes.html}
},

@online{kallsyms_kernel,
	title={kallsyms: new /proc/kallmodsyms with builtin modules and symbol sizes},
	author={Nick Alcock},
	date={2021-06-06},
	urldate={2022-06-01},
	url={https://lwn.net/Articles/862021/}
},

@misc{bcc_github,
	title={BPF Compiler Collection (BCC)},
	urldate={2022-06-01},
	url={https://github.com/iovisor/bcc}
},

@misc{libbpf_upstream,
	title={BPF next kernel tree},
	urldate={2022-06-01},
	url={https://kernel.googlesource.com/pub/scm/linux/kernel/git/bpf/bpf-next}
},

@misc{libbpf_github,
	title={libbpf GitHub},
	urldate={2022-06-01},
	url={https://github.com/libbpf/libbpf}
},

@online{libbpf_core,
	title={BPF Portability and CO-RE},
	url={https://facebookmicrosites.github.io/bpf/blog/2020/02/19/bpf-portability-and-co-re.html},
	urldate={2022-06-01},
	author={Andrii Nakryiko},
	date={2020-02-19}
},

@manual{ebpf_kernel_flags,
	title={Installing BCC: Kernel Configuration},
	urldate={2022-06-02},
	url={https://github.com/iovisor/bcc/blob/master/INSTALL.md}
},

@manual{ubuntu_caps,
	title={capabilities - overview of Linux capabilities},
	urldate={2022-06-02},
	url={http://manpages.ubuntu.com/manpages/trusty/man7/capabilities.7.html}
},

@proceedings{evil_ebpf_p9,
	institution = {NCC Group},
	author = {Jeff Dileo},
	organization= {DEFCON 27},
	eventtitle = {Evil eBPF Practical Abuses of an In-Kernel Bytecode Runtime},
	urldate={2022-06-02},
	url = {https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf},
	pages={9}
},

@misc{ebpf_caps_intro,
	title={[PATCH v7 bpf-next 1/3] bpf, capability: Introduce CAP\_BPF},
	urldate={2022-06-02},
	url={https://lore.kernel.org/bpf/20200513230355.7858-2-alexei.starovoitov@gmail.com/}
},

@online{ebpf_caps_lwn,
	title={capability: introduce CAP\_BPF and CAP\_TRACING},
	urldate={2022-06-02},
	url={https://lwn.net/Articles/797807/}
},

@misc{unprivileged_ebpf,
	title={Reconsidering unprivileged BPF},
	urldate={2022-06-03},
	url={https://lwn.net/Articles/796328/}
},

@misc{cve_unpriv_ebpf,
	title={CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability},
	urldate={2022-06-03},
	url={https://www.openwall.com/lists/oss-security/2022/01/11/4}
},

@misc{unpriv_ebpf_ubuntu,
	title={Unprivileged eBPF disabled by default for Ubuntu 20.04 LTS, 18.04 LTS, 16.04 ESM},
	urldate={2022-06-03},
	url={https://discourse.ubuntu.com/t/unprivileged-ebpf-disabled-by-default-for-ubuntu-20-04-lts-18-04-lts-16-04-esm/27047}
},

@misc{unpriv_ebpf_redhat,
	title={CVE-2022-0002},
	urldate={2022-06-03},
	url={https://access.redhat.com/security/cve/cve-2021-4001}
},

@online{unpriv_ebpf_suse,
	title={Security Hardening: Use of eBPF by unprivileged users has been disabled by default},
	urldate={2022-06-03},
	url={https://www.suse.com/support/kb/doc/?id=000020545}
},

@manual{8664_params_abi,
	title={System V Application Binary Interface AMD64 Architecture Processor Supplement},
	author={Lu, H. J. and others},
	pages={148},
	date={2018-01-28},
	urldate={2022-06-03},
	url={https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf}
},

@proceedings{ebpf_friends_p15,
	institution = {Datadog},
	author = {Fournier, Guillaume and Afchain, Sylvain},
	organization= {DEFCON 29},
	eventtitle = {{eBPF}, I thought we were friends},
	url = {https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf},
	urldate={2022-06-03},
	pages={15}
},

@misc{ebpf_override_return,
	title={BPF-based error injection for the kernel},
	urldate={2022-06-06},
	url={https://lwn.net/Articles/740146/}
},

@misc{code_kernel_open,
	title={Linux kernel source code},
	urldate={2022-06-06},
	url={https://elixir.bootlin.com/linux/v5.11/source/fs/open.c#L1192}
},

@misc{code_kernel_syscall,
	title={Linux kernel source code},
	urldate={2022-06-06},
	url={https://elixir.bootlin.com/linux/v5.11/source/include/linux/syscalls.h#L233}
},

@online{fault_injection,
	title={Injecting faults into the kernel},
	urldate={2022-06-06},
	url={https://lwn.net/Articles/209257/},
	date={2006-11-04}
},

@online{mem_page_arch,
	title={Memory Management 101: Introduction to Memory Management in Linux},
	url={https://events19.linuxfoundation.org/wp-content/uploads/2017/12/MM-101-Introduction-to-Linux-Memory-Management-Christoph-Lameter-Jump-Trading-LLC-1.pdf},
	date={2017-12-01},
	author={Christopher Lameter},
	urldate={2022-06-06},
	organization={The Linux Foundation Open Source Summit},
	institution={Jump Trading LLC}
},

@online{page_faults,
	title={Understanding page faults and memory swap-in/outs},
	url={https://scoutapm.com/blog/understanding-page-faults-and-memory-swap-in-outs-when-should-you-worry},
	urldate={2022-06-06},
	date={2019-08-19},
	author={Doug Breaker}
},

@online{mem_arch_proc,
	title={Stack-based Buffer Overflow - Part 1},
	url={https://h3xduck.github.io/exploit/2021/05/23/stackbufferoverflow-part1.html},
	urldate={2022-06-06},
	date={2021-05-23},
	author={Marcos Sánchez Bajo}
},

@manual{8664_params_abi_p18,
	title={System V Application Binary Interface AMD64 Architecture Processor Supplement},
	author={Lu, H. J. and others},
	pages={18},
	date={2018-01-28},
	urldate={2022-06-06},
	url={https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf}
},

@misc{write_helper_non_fault,
	title={probe\_write\_common\_error},
	urldate={2022-06-06},
	url={https://www.spinics.net/lists/bpf/msg16795.html}
},

@misc{code_vfs_read,
	title={Linux kernel source code},
	urldate={2022-06-07},
	url={https://elixir.bootlin.com/linux/v5.11/source/fs/read_write.c#L476}
},

@manual{8664_params_abi_p1922,
	title={System V Application Binary Interface AMD64 Architecture Processor Supplement},
	author={Lu, H. J. and others},
	pages={19--22},
	date={2018-01-28},
	urldate={2022-06-06},
	url={https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf}
},

@online{network_layers,
	title={The Network Layers Explained [with examples]},
	author={Alienor},
	date={2018-11-28},
	urldate={2022-06-08},
	url={https://www.plixer.com/blog/network-layers-explained/}
},

@online{tcp_reliable,
	title={Transmission Control Protocol},
	date={2022-04-19},
	organization={IBM},
	urldate={2022-06-08},
	url={https://www.ibm.com/docs/en/aix/7.2?topic=protocols-transmission-control-protocol}
},

@misc{tcp_handshake,
	title={Three-Way Handshake},
	urldate={2022-06-08},
	url={https://www.sciencedirect.com/topics/computer-science/three-way-handshake}
},

@proceedings{evil_ebpf_p6974,
	institution = {NCC Group},
	author = {Jeff Dileo},
	organization= {DEFCON 27},
	urldate={2022-06-08},
	eventtitle = {Evil eBPF Practical Abuses of an In-Kernel Bytecode Runtime},
	url = {https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf},
	pages={69--74}
},

@proceedings{ebpf_friends_p37,
	institution = {Datadog},
	author = {Fournier, Guillaume and Afchain, Sylvain},
	organization= {DEFCON 29},
	eventtitle = {{eBPF}, I thought we were friends},
	url = {https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf},
	urldate={2022-06-08},
	pages={37}
},

@misc{rop_prog_finder,
	title={ROPgadget Tool},
	urldate={2022-06-08},
	url={https://github.com/JonathanSalwan/ROPgadget}
},

@misc{glibc,
	title={The GNU C library},
	urldate={2022-06-08},
	url={https://www.gnu.org/software/libc/}
},

@online{plt_got_technovelty,
	title={PLT and GOT - the key to code sharing and dynamic libraries},
	author={Ian Wienand},
	urldate={2022-06-08},
	url={https://www.technovelty.org/linux/plt-and-got-the-key-to-code-sharing-and-dynamic-libraries.html},
	date={2011-05-11}
},

@online{plt_got_overlord,
	title={GOT and PLT for pwning.},
	author={David Tomaschik},
	urldate={2022-06-08},
	url={https://systemoverlord.com/2017/03/19/got-and-plt-for-pwning.html},
	date={2017-03-19}
},

@manual{elf,
	title={ELF},
	urldate={2022-06-08},
	url={https://wiki.osdev.org/ELF}
},

@misc{pie_exploit,
	title={Position Independent Code},
	urldate={2022-06-08},
	url={https://ir0nstone.gitbook.io/notes/types/stack/pie}
},

@misc{aslr_pie_intro,
	title={aslr/pie intro},
	urldate={2022-06-08},
	url={https://guyinatuxedo.github.io/5.1-mitigation_aslr_pie/index.html#aslrpie-intro}
},

@online{relro_redhat,
	title={Hardening ELF binaries using Relocation Read-Only (RELRO)},
	author={Huzaifa Sidhpurwala},
	urldate={2022-06-08},
	date={2019-01-28},
	url={https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro}
},

@online{cet_windows,
	title={R.I.P ROP: CET Internals in Windows 20H1},
	author={Shafir, Yarden and Ionescu, Alex},
	date={2020-05-01},
	urldate={2022-06-08},
	url={https://windows-internals.com/cet-on-windows/}
},

@online{cet_linux,
	title={Another Round Of Intel CET Patches, Still Working Toward Linux Kernel Integration},
	author={Michael Larabel},
	urldate={2022-06-08},
	date={2021-07-21},
	url={https://www.phoronix.com/scan.php?page=news_item&px=Intel-CET-v29}
},

@misc{canary_exploit,
	title={Stack Canaries},
	urldate={2022-06-08},
	url={https://ir0nstone.gitbook.io/notes/types/stack/canaries}
},

@misc{rawtcp_lib,
	title={RawTCP\_Lib},
	author={Marcos Sánchez Bajo},
	urldate={2022-06-10},
	url={https://github.com/h3xduck/RawTCP_Lib}
},

@manual{proc_fs,
	title={proc(5) — Linux manual page},
	urldate={2022-06-10},
	url={https://man7.org/linux/man-pages/man5/proc.5.html}
},

@misc{proc_mem_write,
	title={enable writing to /proc/pid/mem},
	urldate={2022-06-12},
	url={https://lwn.net/Articles/433326/}
},

@online{reverse_shell,
	title={Reverse Shell},
	urldate={2022-06-12},
	url={https://www.imperva.com/learn/application-security/reverse-shell/}
}, 

@misc{sudoers_man,
	title={die.net sudoers(5) - Linux man page},
	urldate={2022-06-13},
	url={https://linux.die.net/man/5/sudoers}
},

@misc{syscall_reference,
	title={Linux Syscall Reference (64bit)},
	urldate={2022-06-13},
	url={https://syscalls64.paolostivanin.com/}
},

@online{code_kernel_execve,
	title={Linux kernel code},
	urldate={2022-06-13},
	url={https://elixir.bootlin.com/linux/v5.11/source/fs/exec.c#L2054}
},

@online{environ,
	title={How to Set and List Environment Variables in Linux},
	date={2021-06-13},
	url={https://linuxize.com/post/how-to-set-and-list-environment-variables-in-linux/}
},

@misc{execve_man,
	title={execve(2) — Linux manual page},
	urldate={2022-06-13},
	url={https://man7.org/linux/man-pages/man2/execve.2.html}
},

@online{bpf_probe_write_user_errors,
	title={[iovisor-dev] Accessing user memory and minor page faults},
	date = {2017-08-06}, 
	urldate={2022-06-15},
	url={https://lists.linuxfoundation.org/pipermail/iovisor-dev/2017-September/001035.html}
},

@misc{c_standard_main,
	title={Main function},
	urldate={2022-06-15},
	url={https://en.cppreference.com/w/c/language/main_function}
},

@misc{busybox_argv,
	title={BusyBox Examples},
	urldate={2022-06-15},
	url={https://en.wikipedia.org/wiki/BusyBox#Examples}
},

@misc{ips,
	title={What is an intrusion prevention system?},
	organization={VMware},
	urldate={2022-06-16},
	url={https://www.vmware.com/topics/glossary/content/intrusion-prevention-system.html}
},

@misc{port_knocking,
	title={Port Knocking -- Network Authentication Across Closed Ports},
	author={Martin Krzywinski},
	urldate={2022-06-16},
	url={https://www.muppetwhore.net/sysadmin/html/v12/i06/a2.htm}
},

@report{bvp47_report_p49,
	institution = {Pangu Lab},
	title = {Bvp47 Top-tier Backdoor of US NSA Equation Group},
	date = {2022-02-23},
	pages={49},
	urldate={2022-06-16},
	url = {https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf}
},

@misc{pangu_lab,
	title={Welcome to Pangu Research Lab},
	urldate={2022-06-16},
	url={https://pangukaitian.github.io/pangu/?lg=en}
},

@misc{rfc_tcp4,
	title={RFC 793},
	institution={Information Sciences Institute, University of Southern California},
	date={1981-09-01},
	urldate={2022-06-16},
	url={https://datatracker.ietf.org/doc/html/rfc793}
},

@misc{tcp_syn_payload,
	title={TCP Fast Open: expediting web services},
	date={2012-08-01},
	urldate={2022-06-16},
	author={Michael Kerrisk},
	url={https://lwn.net/Articles/508865/}
},

@book{cisco_syn_firewall,
	title={CCNP Security Firewall 642-617 Official Cert Guide},
	date={2011-10-01},
	author={Hucaby, David and Garneau, David and Sequeira, Anthony},
	pages={436},
	urldate={2022-06-17},
	url={https://books.google.es/books?id=-lvwaqFbIS8C&dq=syn+packet+firewall+ignore+payload}
},

@misc{hive_implant,
	title={(U) Hive Engineering Development Guide},
	date = {2014-10-15},
	urldate={2022-06-17},
	url={https://wikileaks.org/vault7/document/hive-DevelopersGuide/hive-DevelopersGuide.pdf}
},

@misc{crc,
	title={Cyclic redundancy check},
	organization={Wikipedia},
	urldate={2022-06-17},
	url={https://en.wikipedia.org/wiki/Cyclic_redundancy_check}
},

@misc{file_descriptors,
	title={File Descriptor},
	urldate={2022-06-17},
	url={http://www.cse.cuhk.edu.hk/~ericlo/teaching/os/lab/11-FS/fd.html}
},

@misc{raw_sockets,
	title={raw(7) — Linux manual page},
	urldate={2022-06-18},
	url={https://man7.org/linux/man-pages/man7/raw.7.html}
},

@misc{cron,
	title={How To Add Jobs To cron Under Linux or UNIX},
	date={2022-06-02},
	author={Vivek Gite},
	urldate={2022-06-18},
	url={https://www.cyberciti.biz/faq/how-do-i-add-jobs-to-cron-under-linux-or-unix-oses/}
},

@misc{linux_daemons,
	title={Linux Jargon Buster: What are Daemons in Linux?},
	date={2021-06-05},
	author={Bill Dyer},
	urldate={2022-06-18},
	url={https://itsfoss.com/linux-daemons/}
},

@misc{code_kernel_getdents64,
	title={Linux kernel source code},
	urldate={2022-06-19},
	url={https://elixir.bootlin.com/linux/v5.11/source/fs/readdir.c#L351}
},

@misc{getdents_man,
	title={getdents(2) — Linux manual page},
	urldate={2022-06-19},
	url={https://man7.org/linux/man-pages/man2/getdents.2.html}
},

@misc{code_kernel_linux_dirent64,
	title={Linux kernel source code},
	urldate={2022-06-19},
	url={https://elixir.bootlin.com/linux/v5.11/source/include/linux/dirent.h#L5}
},

@misc{code_kerel_getdents_buffer_alignation,
	title={Linux kernel source code},
	urldate={2022-06-19},
	url={https://elixir.bootlin.com/linux/v5.11/source/fs/readdir.c#L313}
},

@misc{xcellerator_getdents,
	title={Linux Rootkits Part 6: Hiding Directories},
	date={2020-09-19},
	urldate={2022-06-19},
	author={TheXcellerator},
	url={https://xcellerator.github.io/posts/linux_rootkits_06/}
},

@misc{embracethered_getdents,
	title={Offensive BPF: Understanding and using bpf\_probe\_write\_user},
	date={2021-10-20},
	urldate={2022-06-19},
	author={Johann Rehberger},
	url={https://embracethered.com/blog/posts/2021/offensive-bpf-libbpf-bpf_probe_write_user/}
},

@misc{dtype_dirent,
	title={Format of a Directory Entry},
	urldate={2022-06-19},
	url={https://www.gnu.org/software/libc/manual/html_node/Directory-Entries.html}
},

@misc{virtualbox_page,
	title={VirtualBox},
	urldate={2022-06-21},
	url={https://www.virtualbox.org/}
},

@misc{bridged_networking,
	title={Bridged Networking},
	urldate={2022-06-21},
	url={https://docs.oracle.com/en/virtualization/virtualbox/6.0/user/network_bridged.html}
},

@misc{nat_comptia,
	title={What Is NAT?},
	institution={CompTIA},
	urldate={2022-06-21},
	url={https://www.comptia.org/content/guides/what-is-network-address-translation}
},

@misc{kernel_modules_restrict,
	title={Increasing Linux kernel integrity},
	author={Michael Boelen},
	date={2015-05-12},
	urldate={2022-06-22},
	url={https://linux-audit.com/increase-kernel-integrity-with-disabled-linux-kernel-modules-loading/}
},

@misc{jynx2_infosecinstitute,
	title={Blackhat Academy},
	author={{Blackhat Academy}},
	date={2012-03-15},
	urldate={2022-06-22},
	url={https://resources.infosecinstitute.com/topic/jynx2-sneak-peek-analysis/}
},

@article{ldpreload_so_jynx,
	title={Linux Rootkit Detection With OSSEC},
	author={Sally Vandeven},
	date={2014-03-26},
	pages={18--19},
	urldate={2022-06-22},
	url={https://www.giac.org/paper/gcia/8751/rootkit-detection-ossec/126976}
},

@proceedings{ldpreload_pros,
	title={The Continued Evolution of Userland Linux Rootkits},
	pages={3--6},
	date={2022-03-13},
	urldate={2022-06-22},
	url={https://www.bsidesdub.ie/past/media/2022/darren_martyn_userland_linux_rootkits.pdf}
},

@proceedings{ldpreload_pros_2327,
	title={The Continued Evolution of Userland Linux Rootkits},
	pages={23--27},
	date={2022-03-13},
	urldate={2022-06-22},
	url={https://www.bsidesdub.ie/past/media/2022/darren_martyn_userland_linux_rootkits.pdf}
},

@misc{jynx_github,
	title={Jynx-kit},
	author={BlackHatAcademy.org},
	urldate={2022-06-22},
	url={https://github.com/chokepoint/jynxkit}
},

@misc{jynx2_github,
	title={Jynx-kit (2)},
	author={BlackHatAcademy.org},
	urldate={2022-06-22},
	url={https://github.com/chokepoint/Jynx2}
},

@misc{azazel_github,
	title={Azazel},
	urldate={2022-06-22},
	url={https://github.com/chokepoint/azazel}
},

@misc{azazel_wiki,
	title={Azazel},
	urldate={2022-06-22},
	url={https://web.archive.org/web/20141102234744/http://blackhatlibrary.net/Azazel#Hooking_Methods}
},

@misc{ld_preload_detect,
	title={Linux Attack Techniques: Dynamic Linker Hijacking with LD Preload},
	date={2022-05-18},
	urldate={2022-06-22},
	url={https://www.cadosecurity.com/linux-attack-techniques-dynamic-linker-hijacking-with-ld-preload/}
},

@misc{suckit_rootkit,
	title={SucKIT rootkit},
	urldate={2022-06-22},
	url={https://github.com/CSLDepend/exploits/blob/master/Rootkit_tools/suckit2priv.tar.gz}
},

@misc{suckit_lasamhna,
	title={Linux Kernel Rootkits},
	urldate={2022-06-22},
	url={https://www.la-samhna.de/library/rootkits/basics.html#FLOW}
},

@misc{dev_kmem,
	title={kmem(4) - Linux man page},
	urldate={2022-06-22},
	url={https://linux.die.net/man/4/kmem}
},

@misc{dev_kmem_debian,
	title={mem(4)},
	urldate={2022-06-22},
	url={https://manpages.debian.org/buster-backports/manpages/port.4.en.html}
},

@misc{dev_kmem_off_default,
	title={Change CONFIG\_DEVKMEM default value to n},
	urldate={2022-06-22},
	url={https://lore.kernel.org/all/20161007035719.GB17183@kroah.com/T/}
},

@misc{diamorphine_github,
	title={Diamorphine},
	url={https://github.com/m0nad/Diamorphine}
},

@misc{incibe_rootkit_lkm,
	title={Malware in Linux: Kernel-mode-rootkits},
	author={Antonio López},
	urldate={2022-06-22},
	date={2015-03-26},
	url={https://www.incibe-cert.es/en/blog/kernel-rootkits-en}
},

@misc{reptile_github,
	title={Reptile},
	urldate={2022-06-22},
	url={https://github.com/f0rb1dd3n/Reptile}
},

@misc{usermode_helper_lkm,
	title={call\_usermodehelper, Module Loading},
	urldate={2022-06-22},
	url={https://www.kernel.org/doc/htmldocs/kernel-api/API-call-usermodehelper.html}
},

@misc{rasps,
	title={RASP rings in a new Java application security paradigm},
	author={Hussein Badakhchani},
	date={2016-10-20},
	urldate={2022-06-22},
	url={https://www.infoworld.com/article/3125515/rasp-rings-in-a-new-java-application-security-paradigm.html}
},

@misc{sql_injection,
	title={SQL Injection},
	urldate={2022-06-22},
	url={https://www.w3schools.com/sql/sql_injection.asp}
},

@misc{boopkit,
	title={Boopkit},
	author={Kris Nóva},
	urldate={2022-06-22},
	url={https://github.com/kris-nova/boopkit}
},

@misc{symbiote,
	title={Symbiote: A New, Nearly-Impossible-to-Detect Linux Threat},
	institution={The BlackBerry Research \& Intelligence Team},
	date={2022-06-09},
	urldate={2022-06-22},
	url={https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat}
},

@misc{pentest_redteam,
	title={Penetration Test vs. Red Team Assessment: The Age Old Debate of Pirates vs. Ninjas Continues},
	date={2016-06-23},
	urldate={2022-06-22},
	author={Kirk Hayes},
	url={https://www.rapid7.com/blog/post/2016/06/23/penetration-testing-vs-red-teaming-the-age-old-debate-of-pirates-vs-ninja-continues/}
},

@misc{nist_cyber,
	title={Framework for Improving Critical Infrastructure Cybersecurity},
	date={2018-04-16},
	urldate={2022-06-22},
	institution={National Institute of Standards and Technology},
	url={https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf}
},

@misc{mitre_blog,
	title={ATT\&CK 101},
	author={Blake Strom},
	urldate={2022-06-22},
	date={2018-08-21},
	url={https://medium.com/mitre-attack/att-ck-101-17074d3bc62}
},

@misc{mitre_blog_2,
	title={What Is the MITRE ATT\&CK Framework?},
	urldate={2022-06-22},
	url={https://www.trellix.com/en-us/security-awareness/cybersecurity/what-is-mitre-attack-framework.html}
},

@misc{mitre_matrix_linux,
	title={ATT\&CK Matrix for Enterprise},
	urldate={2022-06-22},
	url={https://attack.mitre.org/matrices/enterprise/linux/}
},

@misc{glass_analyst,
	title={Cyber Security Analyst salary in Madrid},
	urldate={2022-06-22},
	url={https://www.glassdoor.es/Sueldos/madrid-cyber-security-analyst-sueldo-SRCH_IL.0,6_IM1030_KO7,29.htm}
},

@misc{glass_manager,
	title={Project Manager salary in Madrid},
	urldate={2022-06-22},
	url={https://www.glassdoor.es/Sueldos/madrid-project-manager-sueldo-SRCH_IL.0,6_IM1030_KO7,22.htm?clickSource=searchBtn}
},

@misc{glass_programmer,
	title={Programmer salary in Madrid},
	urldate={2022-06-22},
	url={https://www.glassdoor.es/Sueldos/madrid-programmer-sueldo-SRCH_IL.0,6_IM1030_KO7,17.htm?clickSource=searchBtn}
},

@misc{ebpfkit_monitor_github,
	title={ebpfkit-monitor},
	author = {Fournier, Guillaume and Afchain, Sylvain},
	urldate={2022-06-22},
	url={https://github.com/Gui774ume/ebpfkit-monitor}
},

@misc{lkm_signing,
	title={Kernel module signing facility},
	urldate={2022-06-22},
	url={https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html}
},

@misc{bpf_signing,
	title={Toward signed BPF programs},
	author={Jonathan Corbet},
	urldate={2022-06-22},
	date={2021-04-22},
	url={https://lwn.net/Articles/853489/}
},

@misc{arch_linux_sign,
	title={Signed kernel modules},
	urldate={2022-06-22},
	url={https://wiki.archlinux.org/title/Signed_kernel_modules}
},

@misc{triplecross_github,
	title={TripleCross},
	urldate={2022-06-23},
	author={Marcos Sánchez Bajo},
	url={https://github.com/h3xduck/TripleCross}
},

@misc{repo_simple_timer,
	title={simple\_timer.c},
	urldate={2022-06-23},
	url={https://github.com/h3xduck/TripleCross/blob/master/src/helpers/simple_timer.c}
},

@misc{repo_execve_hijack,
	title={execve\_hijack.c},
	urldate={2022-06-23},
	url={https://github.com/h3xduck/TripleCross/blob/master/src/helpers/execve_hijack.c}
},

@misc{downgrade_attack,
	title={What is a downgrade attack and how to prevent it},
	author={Borislav Kiprin},
	date={2022-04-18},
	urldate={2022-06-23},
	url={https://crashtest-security.com/downgrade-attack/}
}






